[Senate Report 104-357]
[From the U.S. Government Publishing Office]
Calendar No. 563
104th Congress Report
SENATE
2d Session 104-357
_______________________________________________________________________
THE NATIONAL INFORMATION INFRASTRUCTURE PROTECTION ACT OF 1995
_______
August 27, 1996.--Ordered to be printed
Filed under the authority of the order of the Senate of August 2, 1996
_______________________________________________________________________
Mr. Hatch, from the Committee on the Judiciary, submitted the following
R E P O R T
[To accompany S. 982]
The Committee on the Judiciary, to which was referred the
bill (S. 982) to amend the Computer Fraud and Abuse Act, having
considered the same, reports favorably thereon with an
amendment in the nature of a substitute and recommends that the
bill, as amended, do pass.
CONTENTS
Page
I. Purpose..........................................................3
II. Legislative history..............................................3
III. Committee action.................................................5
IV. Section-by-section analysis......................................6
V. Regulatory impact statement.....................................14
VI. Cost estimate...................................................14
VII. Changes in existing law.........................................16
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Information Infrastructure
Protection Act of 1996''.
SEC. 2. COMPUTER CRIME.
Section 1030 of title 18, United States Code, is amended--
(1) in subsection (a)--
(A) in paragraph (1)--
(i) by striking ``knowingly accesses'' and
inserting ``having knowingly accessed'';
(ii) by striking ``exceeds'' and inserting
``exceeding'';
(iii) by striking ``obtains information'' and
inserting ``having obtained information'';
(iv) by striking ``the intent or'';
(v) by striking ``is to be used'' and
inserting ``could be used''; and
(vi) by inserting before the semicolon at the
end the following: ``willfully communicates,
delivers, transmits, or causes to be
communicated, delivered, or transmitted, or
attempts to communicate, deliver, transmit or
cause to be communicated, delivered, or
transmitted the same to any person not entitled
to receive it, or willfully retains the same
and fails to deliver it to the officer or
employee of the United States entitled to
receive it'';
(B) in paragraph (2)--
(i) by striking ``obtains information'' and
inserting ``obtains--
``(A) information''; and
(ii) by adding at the end the following new
subparagraph:
``(B) information from any department or agency of
the United States; or
``(C) information from any protected computer if the
conduct involved an interstate or foreign
communication;'';
(C) in paragraph (3)--
(i) by inserting ``nonpublic'' before
``computer of a department or agency'';
(ii) by striking ``adversely''; and
(iii) by striking ``the use of the
Government's operation of such computer'' and
inserting ``that use by or for the Government
of the United States'';
(D) in paragraph (4)--
(i) by striking ``Federal interest'' and
inserting ``protected''; and
(ii) by inserting before the semicolon the
following: ``and the value of such use is not
more than $5,000 in any 1-year period'';
(E) by striking paragraph (5) and inserting the
following:
``(5)(A) knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a
protected computer;
``(B) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly
causes damage; or
``(C) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes
damage;''; and
(F) by inserting after paragraph (6) the following
new paragraph:
``(7) with intent to extort from any person, firm,
association, educational institution, financial institution,
government entity, or other legal entity, any money or other
thing of value, transmits in interstate or foreign commerce any
communication containing any threat to cause damage to a
protected computer;'';
(2) in subsection (c)--
(A) in paragraph (1), by striking ``such subsection''
each place that term appears and inserting ``this
section'';
(B) in paragraph (2)--
(i) in subparagraph (A)--
(I) by inserting ``, (a)(5)(C),''
after ``(a)(3)''; and
(II) by striking ``such subsection''
and inserting ``this section'';
(ii) by redesignating subparagraph (B) as
subparagraph (C);
(iii) by inserting immediately after
subparagraph (A) the following:
``(B) a fine under this title or imprisonment for not
more than 5 years, or both, in the case of an offense
under subsection (a)(2), if--
``(i) the offense was committed for purposes
of commercial advantage or private financial
gain;
``(ii) the offense was committed in
furtherance of any criminal or tortious act in
violation of the Constitution or laws of the
United States or of any State; or
``(iii) the value of the information obtained
exceeds $5,000;''; and
(iv) in subparagraph (C) (as redesignated),
(i) by striking ``such subsection''
and inserting ``this section''; and
(II) by adding ``and'' at the end;
(C) in paragraph (3)--
(i) in subparagraph (A)--
(I) by striking ``(a)(4) or
(a)(5)(A)'' and inserting ``(a)(4),
(a)(5)(A), (a)(5)(B), or (a)(7)''; and
(II) by striking ``such subsection''
and inserting ``this section''; and
(ii) in subparagraph (B)--
(I) by striking ``(a)(4) or (a)(5)''
and inserting ``(a)(4), (a)(5)(A),
(a)(5)(B), (a)(5)(C), or (a)(7)''; and
(II) by striking ``such subsection''
and inserting ``this section''; and
(D) by striking paragraph (4);
(3) in subsection (d), by inserting ``subsections (a)(2)(A),
(a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of '' before
``this section.'';
(4) in subsection (e)--
(A) in paragraph (2)--
(i) by striking ``Federal interest'' and
inserting ``protected'';
(ii) in subparagraph (A), by striking ``the
use of the financial institution's operation or
the Government's operation of such computer''
and inserting ``that use by or for the
financial institution or the Government''; and
(iii) by striking subparagraph (B) and
inserting the following:
``(B) which is used in interstate or foreign commerce
or communication;'';
(B) in paragraph (6), by striking ``and'' at the end;
(C) in paragraph (7), by striking the period at the
end and inserting ``; and''; and
(D) by adding at the end the following new
paragraphs:
``(8) the term `damage' means any impairment to the integrity
or availability of data, a program, a system, or information,
that--
``(A) causes loss aggregating at least $5,000 in
value during any 1-year period to one or more
individuals;
``(B) modifies or impairs, or potentially modifies or
impairs, the medical examination, diagnosis, treatment,
or care of one or more individuals;
``(C) causes physical injury to any person; or
``(D) threatens public health or safety; and
``(9) the term `government entity' includes the Government of
the United States, any State or political subdivision of the
United States, any foreign country, and any state, province,
municipality, or other political subdivision of a foreign
country.''; and
(5) in subsection (g)--
(A) by striking ``, other than a violation of
subsection (a)(5)(B),''; and
(B) by striking ``of any subsection other than
subsection (a)(5)(A)(ii)(II)(bb) or
(a)(5)(B)(ii)(II)(bb)'' and inserting ``involving
damage as defined in subsection (e)(8)(A)''.
I. Purpose
The Leahy-Kyl-Grassley amendment to the National
Information Infrastructure (NII) Protection Act, S. 982, would
strengthen the Computer Fraud and Abuse Act, 18 U.S.C. 1030, by
closing gaps in the law to protect better the confidentiality,
integrity, and security of computer data and networks.
II. Legislative History
The Computer Fraud and Abuse Act was originally enacted in
1984 to provide a clear statement of proscribed activity
concerning computers to the law enforcement community, those
who own and operate computers and those tempted to commit
crimes by unauthorized access to computers. Rather than having
to ``boot-strap'' enforcement efforts against computer crime by
relying on statutory restrictions designed for other offenses,
the Computer Fraud and Abuse statute, 18 U.S.C. 1030, set forth
in a single statute computer-related offenses. This first
Federal computer crime statute made it a felony to access
classified information in a computer without authorization and
a misdemeanor to access financial records or credit histories
in financial institutions or to trespass into a Government
computer.
In succeeding years, the statute has been significantly
amended only twice, in 1986 and 1994. In its current form, this
statute generally prohibits the unauthorized use of computers
to obtain classified or private financial record information,
to trespass in Federal Government computers, to commit frauds,
or to transmit harmful computer viruses. It also prohibits
fraudulent trafficking in computer access passwords.
Gaps in coverage remain under this statutory scheme.
Specifically, the law provides criminal penalties for persons
who, without or in excess of authorization, access any computer
to obtain classified information or financial record
information from a financial institution or consumer reporting
agency, or who access a ``Federal interest computer'' to
further an intended fraud. A ``Federal interest computer'' is
defined to include Federal Government and financial institution
computers and computers located in different States that are
``used in committing the offense.''
The privacy protection coverage of the statute has two
significant gaps. First, omitted from the statute's coverage is
information on any civilian or State and local government
computers, since the prohibition on unauthorized computer
access to obtain nonclassified information extends only to
computers used by financial institutions or by the Federal
Government when the perpetrator is an outsider. The second gap
is the significant limitation on the privacy protection given
to information held on Federal Government computers.
Specifically, the prohibition only applies to outsiders who
gain unauthorized access to Federal Government computers, and
not to Government employees who abuse their computer access
privileges to obtain Government information that may be
sensitive and confidential.
Likewise, omitted from the fraud protection coverage of the
statute is protection for the loss of computer time resulting
from computer trespasses. The 1986 amendments to the statute
created the ``computer use'' exception to section 1030(a)(4),
even though this Committee ``agree[d] that lost computer time
resulting form repeated or sustained trespasses can reach a
level of seriousness sufficient to warrant Federal
prosecution.'' Senate Judiciary Committee report No. 99-432,
99th Cong., 2d sess., at p. 10 (1986). At the time of the 1986
amendments, such fraudulent computer usage was considered
prosecutable under another section 1030(a)(5), when the lost
computer time resulted from intentional damage to the computer.
The current statute also penalizes any person who uses a
computer in interstate commerce or communications to cause the
transmission of a computer virus or other harmful computer
program. Omitted from the coverage of this ``computer damage''
provision are Government and financial institution computers
not used in interstate communications, such as intrastate local
area networks used by Government agencies that contain
sensitive and confidential information. Also omitted are
computers used in foreign communications or commerce, despite
the fact that hackers are often foreign-based. For example, the
1994 intrusion into the Rome Laboratory at Grifess Air Force
Base in New York, was perpetrated by a 16-year-old hacker in
the United Kingdom. More recently, in March 1996, the Justice
Department tracked down a young Argentinean man who had broken
into Harvard University's computers from Buenos Aires and used
those computers as a staging ground to hack into many other
computer sites, including the Defense Department and NASA.
On June 29, 1995, Senators Kyl, Leahy, and Grassley
introduced the NII Protection Act, S. 982. At hearings in both
the House of Representatives and the Senate, representatives
from Federal law enforcement agencies expressed the need for,
and their support of, this bill. Specifically, Attorney General
Janet Reno discussed the provisions of S. 982 in her October
30, 1995, responses to written questions in connection with the
June 27, 1995, Judiciary Committee oversight hearing of the
Department of Justice; Federal Bureau of Investigation Director
Louis Freeh testified about S. 982 during the February 28,
1996, joint hearing with the Select Committee on Intelligence
and the Judiciary Committee on economic espionage; and U.S.
Secret Service Deputy Assistant Director of Investigations
Robert Rasor testified about S. 982 during the October 11,
1995, hearing of the House Committee on Banking and Financial
Services Subcommittee on Domestic and International Monetary
Policy.
As intended when the law was originally enacted, the
Computer Fraud and Abuse statute facilitates addressing in a
single statute the problem of computer crime, rather than
identifying and amending every potentially applicable statute
affected by advances in computer technology. As computers
continue to proliferate in businesses and homes, and new forms
of computer crimes emerge, Congress must remain vigilant to
ensure that the Computer Fraud and Abuse statute is up-to-date
and provides law enforcement with the necessary legal framework
to fight computer crime. The NII Protection Act will likely not
represent the last amendment to this statute, but is necessary
and constructive legislation to deal with the current increase
in computer crime.
III. Committee Action
On June 13, 1996, the Committee on the Judiciary first
considered the NII Protection Act, S. 982, as an amendment made
by Senators Leahy, Kyl, and Grassley to H.R. 1533, a bill to
amend title 18, United States Code, to increase the penalty for
escaping from a Federal prison. At that time, with a quorum
present, by voice vote, the Committee unanimously accepted the
Leahy-Kyl-Grassley amendment to H.R. 1533, and unanimously
ordered H.R. 1533, so amended, favorably reported.
On August 1, 1996, the Committee on the Judiciary, with a
quorum present, again accepted an amendment in the nature of a
substitute to S. 982 offered by Senator Leahy, on behalf of
himself and Senators Kyl and Grassley. The amendment included
the provisions in the S. 982, as introduced, with one
modification. As discussed in more detail below, the amendment
inserted the word ``nonpublic'' before ``computer of a
department or agency'' in section 2(1)(C)(I) of the bill. The
Leahy-Kyl-Grassley amendment was accepted by voice vote, and
the Committee, also by voice vote, then unanimously ordered S.
982, as amended, favorably reported.
IV. Section-by-Section Analysis
detailed discussion of the nii protection act
The bill amends five of the prohibited acts in, and adds a
new prohibited act to, 18 U.S.C. 1030(a). Each of the amended
provisions is discussed below.
(1) Amendments and addition to prohibited acts
(A) Subsection 1030(a)(1)--Protection of classified
government information
The bill would bring the protection for classified national
defense or foreign relations information maintained on
computers in line with our other espionage laws. Section
1030(a)(1) currently provides that anyone who knowingly
accesses a computer without authorization or exceeds authorized
access and obtains classified information ``with the intent or
reason to believe that such information so obtained is to be
used to the injury of the United States, or to the advantage of
any foreign nation'' is subject to a fine or imprisonment for
not more than 10 years for a first offense. This scienter
element apparently was originally included because it is
contained in 18 U.S.C. 794(a). Section 794(a), however,
provides for life imprisonment, whereas section 1030(a)(1)
provides for only a 10-year term of imprisonment. Therefore,
the NII Protection Act would amend section 1030(a)(1) to track
the scienter requirement of 18 U.S.C. 793(e), which also
provides a maximum penalty of 10 years imprisonment for
obtaining from any source certain items relating to the
national defense.
As amended, section 1030(a)(1) prohibits anyone from
knowingly accessing a computer, without, or in excess of,
authorization, and obtaining classified national defense,
foreign relations information, or restricted data under the
Atomic Energy Act, with reason to believe the information could
be used to the injury of the United States or the advantage of
a foreign country, and willfully communicating, delivering or
transmitting, or causing the same, or willfully retaining the
information and failing to deliver it to the appropriate
Government agent. The amendment specifically covers the conduct
of a person who deliberately breaks into a computer without
authority, or an insider who exceeds authorized access, and
thereby obtains classified information and then communicates
the information to another person, or retains it without
delivering it to the proper authorities.
Although there is considerable overlap between 18 U.S.C.
793(e) and section 1030(a)(1), as amended by the NII Protection
Act, the two statutes would not reach exactly the same conduct.
Section 1030(a)(1) would target those persons who deliberately
break into a computer to obtain properly classified Government
secrets then try to peddle those secrets to others, including
foreign governments. In other words, unlike existing espionage
laws prohibiting the theft and peddling of Government secrets
to foreign agents, section 1030(a)(1) would require proof that
the individual knowingly used a computer without authority, or
in excess of authority, for the purpose of obtaining classified
information. In this sense then, it is the use of the computer
which is being proscribed, not the unauthorized possession of,
access to, or control over the classified information itself.
(B) Subsection 1030(a)(2)--Protection of financial,
Government and other computer information
The bill would amend section 1030(a)(2) to increase
protection for the privacy and confidentiality of computer
information. Section 1030(a)(2) currently gives special
protection only to information on the computer systems of
financial institutions and consumer reporting agencies, because
of their significance to our country's economy and the privacy
of our citizens. Yet, increasingly computer systems provide the
vital backbone to many other industries, such as
transportation, power supply systems, and telecommunications.
The bill would amend section 1030(a)(2) and extend its coverage
to information held on (1) Federal Government computers and (2)
computers used in interstate or foreign commerce on
communications, if the conduct involved an interstate or
foreign communication.
As amended, section 1030(a)(2) would penalize those who
intentionally access computers without, or in excess of,
authorization to obtain government information and, where
appropriate, information held on private computers.
``Information'' as used in this subsection includes
information stored in intangible form. Moreover, the term
``obtaining information'' includes merely reading it. There is
no requirement that the information be copied or transported.
This is critically important because, in an electronic
environment, information can be ``stolen'' without asportation,
and the original usually remains intact. This interpretation of
``obtaining information'' is consistent with congressional
intent expressed as follows in connection with 1986 amendments
to the Computer Fraud and Abuse statute:
Because the premise of this subsection is privacy
protection, the Committee wishes to make clear that
`obtaining information' in this context includes mere
observation of the data. Actual asportation, in the
sense of physically removing the date from its original
location or transcribing the data, need not be proved
in order to establish a violation of this subsection.
Senate Judiciary Committee report No. 99-432, 99th Cong., 2d
sess., at pp. 6-7 (1986).
The proposed subsection 1030(a)(2)(C) is intended to
protect against the interstate or foreign theft of information
by computer. This information, stored electronically, is
intangible, and it has been held that the theft of such
information cannot be charged under more traditional criminal
statutes such as Interstate Transportation of Stolen Property,
18 U.S.C. 2314. See United States v. Brown, 925 F.2d 1301, 1308
(10th Cir. 1991). This subsection would ensure that the theft
of intangible information by the unauthorized use of a computer
is prohibited in the same way theft of physical items are
protected. In instances where the information stolen is also
copyrighted, the theft may implicate certain rights under the
copyright laws. The crux of the offense under subsection
1030(a)(2)(C), however, is the abuse of a computer to obtain
the information.
The seriousness of a breach in confidentiality depends, in
considerable part, on the value of the information taken, or on
what is planned for the information after it is obtained. Thus,
the statutory penalties are structured to provide that
obtaining information of minimal value is only a misdemeanor,
but obtaining valuable information, or misusing information in
other more serious ways, is a felony.
The sentencing scheme for section 1030(a)(2) is part of a
broader effort to ensure that sentences for section 1030
violations adequately reflect the nature of the offense. Thus,
under the bill, the harshest penalties are reserved for those
who obtain classified information that could be used to injure
the United States or assist a foreign state. Those who
improperly use computers to obtain other types of information--
such as financial records, nonclassified Government
information, and information of nominal value from private
individuals or companies--face only misdemeanor penalties,
unless the information is used for commercial advantage,
private financial gain or to commit any criminal or tortious
act.
For example, individuals who intentionally break into, or
abuse their authority to use, a computer and thereby obtain
information of minimal value of $5,000 or less, would be
subject to a misdemeanor penalty. The crime becomes a felony if
the offense was committed for purposes of commercial advantage
or private financial gain, for the purpose of committing any
criminal or tortious act in violation of the Constitution or
laws of the United States or of any State, or if the value of
the information obtained exceeds $5,000.
The terms ``for purposes of commercial advantage or private
financial gain'' and ``for the purpose of committing any
criminal or tortious act'' are taken from the copyright statute
(17 U.S.C. 506(a)) and the wiretap statute (18 U.S.C.
2511(1)(d)), respectively, and are intended to have the same
meaning as in those statutes.
Some conduct may violate more than one subsection of
section 1030(a)(2). For example, a particular Government
computer might be covered by both sections 1030(a)(2)(B) and
(a)(2)(C). This overlap serves to eliminate legal issues that
may arise if the provisions were mutually exclusive.
Conceivably, in a given case, it may not be clear whether
information taken from a Government contractor's computer
constitutes ``information from any department or agency of the
United States'' under section 1030(a)(2)(B), but the offense
might still be chargeable under section 1030(a)(2)(C) if the
elements of that subsection are satisfied. Similarly, there may
be some overlap between section 1030(a)(2) and 18 U.S.C. 641
(relating to the theft and conversion of public money, records
or property), but the former does not preempt the latter.
(C) Subsection 1030(a)(3)--Protection for Government
computer systems
The NII Protection Act would make three modifications to
subsection 1030(a)(3), which is focused on providing protection
to Federal Government computers from outside hackers. This
provision currently prohibits a person from intentionally
accessing, without authorization, a Federal Government computer
and, if the computer is not exclusively used by the Government,
then the conduct must ``adversely affect[] the use of the
Government's operation of such computer.''
First, the bill would delete the word ``adversely'' because
this term suggests, inappropriately, that trespassing in a
computer used by the Federal Government, even if not
exclusively, may be benign. Second, the bill would modify
``computer of a department or agency of the United States''
with the term ``non-public.'' This would make clear that
unauthorized access is barred to any ``non-public'' Federal
Government computer and that a person who is permitted to
access publicly available Government computers, for example,
via an agency's World Wide Web site, may still be convicted
under (a)(3) for accessing without authority any nonpublic
Federal Government computer. Finally, the phrase ``the use of
the Government's operation of such computer'' would be
clarified with the term ``that use.'' When a computer is used
for the Government, the Government is not necessarily the
operator, and the old phrase may lead to confusion. Consistent
with this change, a similar change is made by the NII
Protection Act in the reference to government and financial
institution computers in the new definition of ``protected
computer'' in section 1030(e)(2)(A).
(D) Subsection 1030(a)(4)--Increased penalties for
significant unauthorized use of computers
The bill amends 18 U.S.C. 1030(a)(4) to ensure that
sanctions apply when the fraudulent use of a computer without,
or in excess of, authority is significant. The current statute
penalizes, with fines and up to 5 years' imprisonment,
knowingly accessing a computer with the intent to defraud and
by means of such conduct furthering the fraud and obtaining
anything of value. This provision contains a ``computer use''
exception that exempts fraudulent conduct to obtain only the
use of the computer. While every trespass in a computer should
not be converted into a felony scheme to defraud, a blanket
exception for ``computer use'' is too broad. Hackers, for
example, have broken into Cray supercomputers for the purpose
of running password cracking programs, sometimes amassing
computer time worth far more than $5,000. In light of the large
expense to the victim caused by some of these trespassing
incidents, the amendment would limit the ``computer use''
exception to cases where the stolen computer use involved less
than $5,000 during any one-year period.
(E) Subsection 1030(a)(5)--Protection from damage to
computers
The bill amends subsection 1030 (a)(5) to further protect
computers and computer systems covered by the statute from
damage both by outsiders, who gain access to a computer without
authorization, and by insiders, who intentionally damage a
computer. The law currently protects computers or computer
systems from damage caused by either outside hackers or
malicious insiders ``through means of a computer used in
interstate commerce or communications.''
Senator Leahy was the principal sponsor of the 1994
amendment to subsection 1030(a)(5), which was intended to
broaden the reach of the provision by replacing the term
``federal interest computer'' with the term ``computer used in
interstate commerce or communication.'' The latter term is
broader because the definition of ``federal interest computer''
in section 1030(e)(2)(B) covers a computer ``which is one of
two or more computers used in committing the offense, not all
of which are located in the same State.'' This meant that
hackers who attacked other computers in their own State were
not subject to Federal jurisdiction, notwithstanding the fact
that their actions may have severely affected interstate or
foreign commerce. For example, individuals who attack telephone
switches may disrupt interstate and foreign calls. The 1994
change remedied that defect.
The definition of Federal interest computer, however,
actually covered more than simply interstate activity. More
specifically, section 1030(e)(2)(A) covered, generically,
computers belonging to the U.S. Government or financial
institutions, or those used by such entities on a nonexclusive
basis if the conduct constituting the offense affected the
Government's operation or the financial institution's operation
of such computer. By changing section 1030(a)(5) from ``federal
interest computer'' to ``computer used in interstate commerce
or communication'' in the 1994 amendment, Congress
inadvertently eliminated Federal protection for those
Government and financial institution computers not used in
interstate communications. For example, the integrity and
availability of classified information contained in an
intrastate local area network may not have been protected under
the 1994 version of section 1030(a)(5), although its
confidentiality continued to be protected under section
1030(a)(1).
Thus, the current provision falls short of protecting
government and financial institution computers from intrusive
codes, such as computer ``viruses'' or ``worms.'' Generally,
hacker intrusions that inject ``worms'' or ``viruses'' into a
government or financial institution computer system which is
not used in interstate communications is not a Federal offense.
The NII Protection Act would change that limitation and extend
Federal protection from intentionally damaging viruses to
government and financial institution computers, even if they
are not used in interstate communications.
Specifically, as amended, subsection 1030(a)(5)(A) would
penalize, with a fine and up to 5 years' imprisonment, anyone
who knowingly causes the transmission of a program,
information, code or command and intentionally causes damage to
a protected computer. This would cover anyone who intentionally
damages a computer, regardless of whether they were an outsider
or an insider otherwise authorized to access the computer.
Subsection 1030(a)(5)(B) would penalize, with a fine and up to
5 years' imprisonment, anyone who intentionally accesses a
protected computer without authorization and, as a result of
that trespass, recklessly causes damage. This would cover
outsiders hackers into a computer who recklessly cause damage.
Finally, subsection 1030(a)(5)(C) would impose a misdemeanor
penalty, of a fine and up to 1 year imprisonment, for
intentionally accessing a protected computer without
authorization and, as a result of that trespass, causing
damage. This would cover outside hackers into a computer who
negligently or accidentally cause damage.
In sum, under the bill, insiders, who are authorized to
access a computer, face criminal liability only if they intend
to cause damage to the computer, not for recklessly or
negligently causing damage. By contrast, outside hackers who
break into a computer could be punished for any intentional,
reckless, or other damage they cause by their trespass.
The rationale for this difference in treatment deserves
explanation. Although those who intentionally damage a system,
without authority, should be punished regardless of whether
they are authorized users, it is equally clear that anyone who
knowingly invades a system without authority and causes
significant loss to the victim should be punished as well, even
when the damage caused is not intentional. In such cases, it is
the intentional act of trespass that makes the conduct
criminal. To provide otherwise is to openly invite hackers to
break into computer systems, safe in the knowledge that no
matter how much damage they cause, it is no crime unless that
damage was either intentional or reckless. Rather than send
such a dangerous message (and deny victims any relief), it is
better to ensure that section 1030(a)(5) criminalizes all
computer trespass, as well as intentional damage by insiders,
albeit at different levels of severity.
The 1994 amendment required both ``damage'' and ``loss,''
but it is not always clear what constitutes ``damage.'' For
example, intruders often alter existing log-on programs so that
user passwords are copied to a file which the hackers can
retrieve later. After retrieving the newly created password
file, the intruder restores the altered log-on file to its
original condition. Arguably, in such a situation, neither the
computer nor its information is damaged. Nonetheless, this
conduct allows the intruder to accumulate valid user passwords
to the system, requires all system users to change their
passwords, and requires the system administrator to devote
resources to resecuring the system. Thus, although there is
arguably no ``damage,'' the victim does suffer ``loss.'' If the
loss to the victim meets the required monetary threshold, the
conduct should be criminal, and the victim should be entitled
to relief.
The bill therefore defines ``damage'' in new subsection
1030(e)(8), with a focus on the harm that the law seeks to
prevent. As in the past, the term ``damage'' will require
either significant financial losses under section
1030(e)(8)(A), or potential impact on medical treatment under
section 1030(e)(8)(B). The bill addresses two other concerns:
causing physical injury to any person under new section
1030(e)(8)(C), and threatening the public health or safety
under new section 1030(e)(8)(D). As the NII and other network
infrastructures continue to grow, computers will increasingly
be used for access to critical services such as emergency
response systems and air traffic control, and will be critical
to other systems which we cannot yet anticipate. Thus, the
definition of ``damage'' is amended to be sufficiently broad to
encompass the types of harm against which people should be
protected.
The bill also amends the civil penalty provision under
section 1030(g) to be consistent with the amendments to section
1030(a)(5). The amendment to section 1030(g) provides that
victims of computer abuse can maintain a civil action against
the violator to obtain compensatory damages, injunctive relief,
or other equitable relief. Damages are limited to economic
damages, unless the defendant violated section 1030(a)(5)(A) or
section 1030(a)(5)(B); that is, unless the actor intentionally
caused damage, or recklessly caused damage while trespassing in
a computer.
(F) Subsection 1030(a)(7)--Protection from threats directed
against computers
The bill would add a new subsection (a)(7) to section 1030
to address a new and emerging problem of computer-age
blackmail. This is a high-tech variation on old fashioned
extortion. According to the Department of Justice, threats have
been made against computer systems in several instances. One
can imagine situations in which hackers penetrate a system,
encrypt a database and then demand money for the decoding key.
This new provision would ensure law enforcement's ability to
prosecute modern-day blackmailers, who threaten to harm or shut
down computer networks unless their extortion demands are met.
The Attorney General explained in written responses to
questions of Senator Leahy on October 30, 1995:
These cases, although similar in some ways to other
cases involving extortionate threats directed against
persons or property, can be different from traditional
extortion cases in certain respects. It is not entirely
clear that existing extortion statutes, which protect
against physical injury to person or property, will
cover intangible computerized information.
For example, the ``property'' protected under existing
laws, such as the Hobbs Act, 18 U.S.C. 1951 (interference with
commerce by extortion), or 18 U.S.C. 875(d) (interstate
communication of threat to injure the property of another),
does not clearly include the operation of a computer, the data
or programs stored in a computer or its peripheral equipment,
or the decoding keys to encrypted data.
New section 1030(a)(7) would close this gap in the law and
provide penalties for the interstate or international
transmission of threats directed against computers and computer
systems. This covers any interstate or international
transmission of threats against computers, computer networks,
and their data and programs whether the threat is received by
mail, a telephone call, electronic mail, or through a
computerized messaging service. Unlawful threats could include
interference in any way with the normal operation of the
computer or system in question, such as denying access to
authorized users, erasing or corrupting data or programs,
slowing down the operation of the computer or system, or
encrypting data and then demanding money for the key.
(2) Subsection 1030(c)--Increased penalties for recidivists and other
sentencing changes
The bill amends 18 U.S.C. 1030(c) to increase penalties for
those who have previously violated any subsection of section
1030(a). The current statute subjects recidivists to enhanced
penalties only if they violated the same subsection twice. For
example, a person who violates the current statute by
committing fraud by computer under subsection 1030(a)(4) and
later commits another computer crime offense by intentionally
destroying medical records under subsection 1030(a)(5), is not
treated as a recidivist because his conduct violated two
separate subsections of section 1030. The amendment provides
that anyone who is convicted twice of committing a computer
offense under subsection 1030(a) would be subjected to enhanced
penalties.
The penalty provisions in section 1030(c) are also changed
to reflect modifications to the prohibited acts, as discussed
above.
(3) Subsection 1030(d)--Jurisdiction of Secret Service
The bill amends subsection 1030(d) to grant the U.S. Secret
Service authority to investigate offenses only under
subsections (a)(2) (A) and (B), (a)(3), (a)(4), (a)(5) and
(a)(6). The current statute grants the Secret Service authority
to investigate any offense under section 1030, subject to
agreement between the Attorney General and the Secretary of the
Treasury. The new crimes proposed in the bill, however, do not
fall under the Secret Service's traditional jurisdiction.
Specifically, proposed subsection 1030(a)(2)(C) addresses gaps
in 18 U.S.C. 2314 (interstate transportation of stolen
property), and proposed section 1030(a)(7) addresses gaps in 18
U.S.C. 1951 (the Hobbs Act) and 875 (interstate threats). These
statutes are within the jurisdiction of the Federal Bureau of
Investigation, which should retain exclusive jurisdiction over
these types of offenses, even when they are committed by
computer.
(4) Subsection 1030(e)--New definitions
The NII Protection Act strikes the current definition of
``Federal interest computer'' and adds new definitions for
``protected computer,'' ``damage,'' and ``government entity.''
The bill would amend subsection 1030(e)(2) by replacing the
term ``Federal interest computer'' with the new term
``protected computer'' and a new definition. The new definition
of ``protected computer'' would modify the current description
in subsection 1030(e)(2)(A) of computers used by financial
institutions or the U.S. Government, to make clear that if the
computers are not exclusively used by those entities, the
computers are protected if the offending conduct affects the
use by or for a financial institution or the Government. The
new definition also replaces the current limitation in
subsection 1030(e)(2)(B) of ``Federal interest computer'' being
``one of two or more computers used in committing the offense,
not all of which are located in the same State.'' Instead,
``protected computer'' would include computers ``used in
interstate or foreign commerce or communications.'' Thus,
hackers who steal information or computer usage from computers
in their own State would be subject to this law, under amended
section 1030(a)(4), if the requisite damage threshold is met
and the computer is used in interstate commerce or foreign
commerce or communications.
The term ``damage'' in new subsection 1030(e)(8), as used
in the proposed amendment of subsection 1030(a)(5), would mean
any impairment to the integrity or availability of data,
information, program or system which (A) causes loss of more
than $5,000 during any 1-year period; (B) modifies or impairs
the medical examination, diagnosis or treatment of a person;
(C) causes physical injury to any person; or (D) threatens the
public health or safety.
The term ``government entity'' in new subsection
1030(e)(9), as used in the new proposed subsection 1030(a)(7),
would be defined to include the U.S. Government, any State or
political subdivision thereof, any foreign country, and any
state, provincial, municipal, or other political subdivision of
a foreign country.
(5) Subsection 1030(g)--Civil actions
The bill amends the civil penalty provision in subsection
1030(g) to reflect the proposed changes in subsection
1030(a)(5). The 1994 amendments to the act authorized certain
victims of computer abuse to maintain civil actions against
violators to obtain compensatory damages, injunctive relief, or
other equitable relief, with damages limited to economic
damages, unless the violator modified or impaired the medical
examination, diagnosis or treatment of a person.
Under the bill, damages recoverable in civil actions by
victims of computer abuse would be limited to economic losses
for violations causing losses of $5,000 or more during any 1-
year period. No limit on damages would be imposed for
violations that modified or impaired the medical examination,
diagnosis or treatment of a person; caused physical injury to
any person; or threatened the public health or safety.
V. Regulatory Impact Statement
Pursuant to paragraph 11(b), rule XXVI of the Standing
Rules of the Senate, the Committee, after due consideration,
concludes that Senate bill 982 will not have direct regulatory
impact.
VI. Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, August 6, 1996.
Hon. Orin G. Hatch,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 982, the National
Information Infrastructure Protection Act of 1996, as reported
by the Senate Committee on the Judiciary on August 2, 1996.
Enacting S. 982 could affect direct spending and receipts.
Therefore, pay-as-you-go procedures would apply to this bill.
If you wish further details on this estimate, we will be
pleased to provide them.
Sincerely,
James L. Blum
(For June E. O'Neill).
congressional budget office cost estimate
1. Bill number: S. 982.
2. Bill title: National Information Infrastructure
Protection Act of 1996.
3. Bill status: As reported by the Senate Committee on the
Judiciary on August 2, 1996.
4. Bill purpose: S. 982 would make various amendments to
the laws that protect the confidentiality, integrity, and
security of computer systems and the information maintained on
such systems. In particular, the bill would amend existing
statutes relating to five computer-related crimes and would add
a new statute making the interstate transmission of threats
directed against computers or computer systems a federal crime.
5. Estimated cost to the Federal Government: CBO estimates
that enacting S. 982 would not have any significant budgetary
impact. Although the legislation could affect direct spending
and receipts, we estimate that any such changes would be
negligible.
6. Basis of estimate: Based on information from the U.S.
Sentencing Commission, CBO expects that enacting S. 982 could
increase the number of prosecutions brought by the federal
government and could increase governmental receipts from
penalties for committing computer-related crimes. Fewer than 50
persons are convicted of existing computer-related crimes each
year and CBO does not expect that the caseload under S. 982
would increase significantly. Thus, CBO estimates that the
Justice Department would not need significant additional
resources to enforce the provisions of the bill.
Furthermore, CBO estimates that any increase in prison time
served by people prosecuted under the statutes affected by S.
982 would be negligible and that the government would collect
less than $500,000 a year in additional fines. Such fines are
recorded in the budget as governmental receipts, deposited in
the Crime Victims Fund, and spent in the following year.
Because the increase in direct spending would be the same as
the amount of fines collected with a one-year lag, the
additional direct spending also would be less than $500,000 a
year.
7. Pay-as-you-go considerations: Section 252 of the
Balanced Budget and Emergency Deficit Control Act of 1985 sets
up pay-as-you-go procedures for legislation affecting direct
spending or receipts through 1998. S. 982 would establish new
fines and increase some existing ones. CBO expects that any
additional receipts would be negligible and thus the pay-as-
you-go impact of this bill, as shown in the following table,
also would be negligible.
[By fiscal year, in millions of dollars]
------------------------------------------------------------------------
1996 1997 1998
------------------------------------------------------------------------
Change in outlays............................ 0 0 0
Change in receipts........................... 0 0 0
------------------------------------------------------------------------
8. Estimated impact on State, local, and tribal
governments: S. 982 contains no intergovernmental mandates as
defined in the Unfunded Mandates Reform Act of 1995 (Public Law
104-4) and would not impose costs on State, local, or tribal
governments.
9. Estimated impact on the private sector: This bill would
impose no new private-sector mandates as defined in Public Law
104-4.
10. Previous CBO estimate: On July 25, 1996, CBO
transmitted a cost estimate for H.R. 1533, the Sexual Offender
Tracking and Identification Act of 1996, as reported by the
Senate Committee on the Judiciary on June 13, 1996. Section 13
of H.R. 1533 is identical to S. 982. The other provisions of
H.R. 1533, as approved by the Senate Committee on the
Judiciary, were not included in S. 982.
11. Estimate prepared by: Federal cost estimate: Susanne S.
Mehlman and Stephanie Weiner. Impact on State, local, and
tribal governments: Leo Lex. Impact on the private sector:
Matthew Eyles.
12. Estimate approved by: Robert A. Sunshine (for Paul N.
Van de Water, Assistant Director for Budget Analysis).
VII. Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the changes in existing law made
by the bill, as reported by the committee, are shown as follows
(existing law proposed to be omitted is enclosed in bold
brackets, new matter is printed in italic, and existing law
with no changes is printed in roman):
UNITED STATES CODE
* * * * * * *
TITLE 18--CRIMES AND CRIMINAL PROCEDURE
* * * * * * *
CHAPTER 47--FRAUD AND FALSE STATEMENTS
* * * * * * *
Sec. 1030. Fraud and related activity in connection with computers
(a) Whoever--
(1) [knowingly accesses] having knowingly accessed a
computer without authorization or [exceeds] exceeding
authorized access, and by means of such conduct
[obtains information] having obtained information that
has been determined by the United States Government
pursuant to an Executive order or statute to require
protection against unauthorized disclosure for reasons
of national defense or foreign relations, or any
restricted data, as defined in paragraph y of section
11 of the Atomic Energy Act of 1954, with [the intent
or] reason to believe that such information so obtained
[is to be used] could be used to the injury of the
United States, or to the advantage of any foreign
nation willfully communicates, delivers, transmits, or
causes to be communicated, delivered, or transmitted,
or attempts to communicate, deliver, transmit or cause
to be communicated, delivered, or transmitted the same
to any person not entitled to receive it, or willfully
retains the same and fails to deliver it to the officer
or employee of the United States entitled to receive
it;
(2) intentionally accesses a computer without
authorization or exceeds authorized access, and thereby
[obtains information] obtains--
(A) information contained in a financial
record of a financial institution, or of a card
issuer as defined in section 1602(n) of title
15, or contained in a file of a consumer
reporting agency on a consumer, as such terms
are defined in the Fair Credit Reporting Act
(15 U.S.C. 1681 et seq.);
(B) information from any department or agency
of the United States; or
(C) information from any protected computer
if the conduct involved an interstate or
foreign communication;
(3) intentionally, without authorization to access
any nonpublic computer of a department or agency of the
United States, accesses such a computer of that
department or agency that is exclusively for the use of
the Government of the United States or, in the case of
a computer not exclusively for such use, is used by or
for the Government of the United States and such
conduct [adversely] affects [the use of the
Government's operation of such computer] that use by or
for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a
[Federal interest] protected computer without
authorization, or exceeds authorized access, and by
means of such conduct furthers the intended fraud and
obtains anything of value, unless the object of the
fraud and the thing obtained consists only of the use
of the computer and the value of such use is not more
than $5,000 in any 1-year period;
[(5)(A) through means of a computer used in
interstate commerce or communications, knowingly causes
the transmission of a program, information, code, or
command to a computer or computer system if
[(i) the person causing the transmission
intends that such transmission will
[(I) damage, or causes damage to, a
computer, computer system, network,
information, data, or program; or
[(II) withhold or deny, or cause the
withholding or denial, of the use of a
computer, computer services, system or
network, information, data or program;
and
[(ii) the transmission of the harmful
component of the program, information, code, or
command--
[(I) occurred without the
authorization of the persons or
entities who own or are responsible for
the computer system receiving the
program, information, code, or command;
and
[(II)(aa) causes loss or damage to
one or more other persons of value
aggregating $1,000 or more during any
1-year period; or
[(bb) modifies or impairs, or
potentially modifies or impairs, the
medical examination, medical diagnosis,
medical treatment, or medical care of
one or more individuals; or
[(B) through means of a computer used in interstate
commerce or communication, and knowingly causes the
transmission of a program, information, code, or
command to a computer or computer system--
[(i) with reckless disregard of a substantial
and unjustifiable risk that the transmission
will--
[(I) damage, or cause damage to, a
computer, computer system, network,
information, data, or program; or
[(II) withhold or deny or cause the
withholding or denial of the use of a
computer, computer services, system,
network, information, data or program;
and
[(ii) if the transmission of the harmful
component of the program, information, code, or
command--
[(I) occurred without the authorization of
the persons or entities who own or are
responsible for the computer system receiving
the program, information, code, or command; and
[(II)(aa) causes loss or damage to
one or more other persons of a value
aggregating $1,000 or more during any
1-year period; or
[(bb) modifies or impairs, or
potentially modifies or impairs, the
medical examination, medical diagnosis,
medical treatment, or medical care of
one or more individuals;]
(5)(A) knowingly causes the transmission of a
program, information, code, or command, and as a result
of such conduct, intentionally causes damage without
authorization, to a protected computer;
(B) intentionally accesses a protected computer
without authorization, and as a result of such conduct,
recklessly causes damage; or
(C) intentionally accesses a protected computer
without authorization, and as a result of such conduct,
causes damage;
(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information through which a computer may be accessed
without authorization, if--
(A) such trafficking affects interstate or
foreign commerce; or
(B) such computer is used by or for the
Government of the United States; or
(7) with intent to extort from any person, firm,
association, educational institution, financial
institution, government entity, or other legal entity,
any money or other thing of value, transmits in
interstate or foreign commerce any communication
containing any threat to cause damage to a protected
computer;
shall be punished as provided in subsection (c) of this
section.
(b) Whoever attempts to commit an offense under subsection
(a) of this section shall be punished as provided in subsection
(c) of this section.
(c) The punishment for an offense under subsection (a) or
(b) of this section is--
(1)(A) a fine under this title or imprisonment for
not more than ten years, or both, in the case of an
offense under subsection (a)(1) of this section which
does not occur after a conviction for another offense
under [such subsection] this section, or an attempt to
commit an offense punishable under this subparagraph;
and
(B) a fine under this title or imprisonment for not
more than twenty years, or both, in the case of an
offense under subsection (a)(1) of this section which
occurs after a conviction for another offense under
[such subsection] this section, or an attempt to commit
an offense punishable under this subparagraph; and
(2)(A) a fine under this title or imprisonment for
not more than one year, or both, in the case of an
offense under subsection (a)(2), (a)(3), (a)(5)(C), or
(a)(6) of this section which does not occur after a
conviction for another offense under [such subsection]
this section, or an attempt to commit an offense
punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not
more than five years, or both, in the case of an
offense under subsection (a)(2) if--
(i) the offense was committed for purposes of
commercial advantage or private financial gain;
(ii) the offense was committed in furtherance
of any criminal or tortious act in violation of
the Constitution or laws of the United States
or of any State; or
(iii) the value of the information obtained
exceeds $5,000;
[B] (C) a fine under this title or imprisonment for
not more than ten years, or both, in the case of an
offense under subsection (a)(2), (a)(3) or (a)(6) of
this section which occurs after a conviction for
another offense under [such subsection] this section,
or an attempt to commit an offense punishable under
this subparagraph; and
(3)(A) a fine under this title or imprisonment for
not more than five years, or both, in the case of an
offense under subsection [(a)(4) or (a)(5)(A)] (a)(4),
(a)(5)(A), (a)(5)(B), or (a)(7) of this section which
does not occur after a conviction for another offense
under [such subsection] this section, or an attempt to
commit an offense punishable under this subparagraph;
and
(B) a fine under this title or imprisonment for not
more than ten years, or both, in the case of an offense
under subsection [(a)(4) or (a)(5)] (a)(4), (a)(5)(A),
(a)(5)(B), (a)(5)(C), or (a)(7) of this section which
occurs after a conviction for another offense under
[such subsection] this section, or an attempt to commit
an offense punishable under this subparagraph; and [(4)
a fine under this title or imprisonment for not more
than 1 year, or both, in the case of an offense under
subsection (a)(5)(B).]
(d) The United States Secret Service shall, in addition to
any other agency having such authority, have the authority to
investigate offenses under subsections (a)(2)(A), (a)(2)(B),
(a)(3), (a)(4), (a)(5), and (a)(6) of this section. Such
authority of the United States Secret Service shall be
exercised in accordance with an agreement which shall be
entered into by the Secretary of the Treasury and the Attorney
General.
(e) As used in this section--
(1) the term ``computer'' means an electronic,
magnetic, optical, electrochemical, or other high speed
data processing device performing logical, arithmetic,
or storage functions, and includes any data storage
facility or communications facility directly related to
or operating in conjunction with such device, but such
term does not include an automated typewriter or
typesetter, a portable hand held calculator, or other
similar device;
(2) the term [Federal interest] protected computer
means a computer--
(A) exclusively for the use of a financial
institution or the United States Government,
or, in the case of a computer not exclusively
for such use, used by or for a financial
institution or the United States Government and
the conduct constituting the offense affects
[the use of the financial institution's
operation or the Government's operation of such
computer] that use by or for the financial
institution or the Government; or
[(B) which is one of two or more computers
used in committing the offense, not all of
which are located in the same State]
(B) which is used in interstate or foreign
commerce or communication;
(3) the term ``State'' includes the District of
Columbia, the Commonwealth of Puerto Rico, and any
other commonwealth, possession or territory of the
United States;
(4) the term ``financial institution'' means--
(A) an institution, with deposits insured by
the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the
Federal Reserve including any Federal Reserve
Bank;
(C) a credit union with accounts insured by
the National Credit Union Administration;
(D) a member of the Federal home loan bank
system and any home loan bank;
(E) any institution of the Farm Credit System
under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the
Securities and Exchange Commission pursuant to
section 15 of the Securities Exchange Act of
1934;
(G) the Securities Investor Protection
Corporation;
(H) a branch or agency of a foreign bank (as
such terms are defined in paragraphs (1) and
(3) of section 1(b) of the International
Banking Act of 1978); and
(I) an organization operating under section
25 or section 25(a) of the Federal Reserve Act.
(5) the term ``financial record'' means information
derived from any record held by a financial institution
pertaining to a customer's relationship with the
financial institution;
(6) the term ``exceeds authorized access'' means to
access a computer with authorization and to use such
access to obtain or alter information in the computer
that the accessor is not entitled so to obtain or
alter; [and]
(7) the term ``department of the United States''
means the legislative or judicial branch of the
Government or one of the executive departments
enumerated in section 101 of title 5[.]; and
(8) the term ``damage'' means any impairment to the
integrity or availability of data, a program, a system,
or information that--
(A) causes loss aggregating at least $5,000
in value during any 1-year period to one or
more individuals;
(B) modifies or impairs, or potentially
modifies or impairs, the medical examination,
diagnosis, treatment, or care of one or more
individuals;
(C) causes physical injury to any person; or
(D) threatens public health or safety; and
(9) the term ``government entity'' includes
the Government of the United States, any State
or political subdivision of the United States,
any foreign country, and any state, province,
municipality or other political subdivision of
a foreign country.
(f) This section does not prohibit any lawfully authorized
investigative, protective, or intelligence activity of a law
enforcement agency of the United States, a State, or a
political subdivision of a State, or of an intelligence agency
of the United States.
(g) any person who suffers damage or loss by reason of a
violation of the section [,other than a violation of subsection
(a)(5)(B),] may maintain a civil action against the violator to
obtain compensatory damages and injunctive relief or other
equitable relief. Damages for violations [of any subsection
other than subsection (a)(5)(A)(ii)(II)(bb) or
(a)(5)(B)(ii)(II)(bb)] involving damage under subsection
(e)(8)(A) are limited to economic damages. No action may be
brought under this subsection unless such action is begun
within 2 years of the date of the act complained of or the date
of the discovery of the damage.
(h) The Attorney General and the Secretary of the Treasury
shall report to the Congress annually, during the first 3 years
following the date of the enactment of this subsection,
concerning investigations and prosecutions under section
1030(a)(5) of title 18, United States Code.